05-25-2015 10:46 AM - edited 02-21-2020 08:14 PM
Hi Team,
I hope you are doing well! I've got a question for you; hope you can help me. We've got an 8.4(6) 5550 ASA concentrating AnyConnect VPNs, authenticating via a local CA certificate. Since we want to perform failover, we must change to an external CA.
The question is whether I can create a new VPN profile (tunnel-group) and authenticate via the new external CA, while keeping the authentication with the local CA in the other profile. I mean, can both the local and the external CA live at the same time? Can I authenticate one tunnel-group via the certificate of the local CA, and authenticate the second tunnel-group via the certificate of the external CA?
Please, feel free to request as much information as needed. Any comment or documentation will be appreciated.
Best Regards!
05-25-2015 12:07 PM
Hi Alex,
If you have two tunnel groups using two different trustpoints (using two different certificates), there shouldn't be a problem. You can have multiple CA certs.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
05-26-2015 06:46 AM
Hi Fnu,
Thanks for the answer. I've tried to find a config guide for this but haven't succeeded. In the tunnel-group configuration there is no option to specify which certificate to use; I mean, the commands would just be:
tunnel-group certgroup webvpn-attributes
authentication certificate
So, I haven't found how to tell another tunnel-group to authenticate with another certificate. Have you found a config guide?
Best Regards,
05-26-2015 06:54 AM
Hi Alex,
Oh, it's AnyConnect. I am sorry, I somehow read it to be a normal LAN-to-LAN tunnel. I am not too sure about AnyConnect. Let me check and get back to you. I think you should still be able to do it when you configure the tunnel IPsec attributes.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
05-26-2015 07:16 AM
Hello alexdelangel,
As long as you have the CA certificate installed on the ASA for the new identity certificates that your users are using for authentication, you should be able to authenticate all of them in any VPN profile. Unfortunately, you can't assign a specific trustpoint per VPN profile in AnyConnect (like you would do in IPsec), but you can force certain certificate characteristics for a specific connection profile (tunnel-group) using certificate mapping.
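The certificate-mapping approach described in the answer above, written out as an added ASA configuration fragment (not taken from the thread or from Cisco documentation). Trustpoint names, map names, tunnel-group names and the issuer CN values are assumptions chosen for illustration; substitute the issuer CN of your own local CA and external CA as shown by `show crypto ca certificates`.

```text
! --- Trust anchors: both CA certificates live side by side ---
! Existing trustpoint for the ASA local CA server (assumed name)
crypto ca trustpoint LOCAL-CA-TP
 enrollment self
 crl configure
!
! New trustpoint for the external CA (assumed name); paste the CA cert
! at the prompt after "crypto ca authenticate EXTERNAL-CA-TP"
crypto ca trustpoint EXTERNAL-CA-TP
 enrollment terminal
 crl configure
crypto ca authenticate EXTERNAL-CA-TP
!
! --- Certificate maps: classify client certs by issuer ---
! Assumed issuer CN values; match what your CAs actually put in
! the Issuer field of the client certificates
crypto ca certificate map LOCAL-CA-MAP 10
 issuer-name attr cn eq asa-local-ca
!
crypto ca certificate map EXTERNAL-CA-MAP 10
 issuer-name attr cn eq corp-external-ca
!
! --- Two AnyConnect connection profiles, both certificate-only ---
tunnel-group LOCAL-CERT-GROUP type remote-access
tunnel-group LOCAL-CERT-GROUP webvpn-attributes
 authentication certificate
!
tunnel-group EXTERNAL-CERT-GROUP type remote-access
tunnel-group EXTERNAL-CERT-GROUP webvpn-attributes
 authentication certificate
!
! --- Steer each client cert to the matching tunnel-group ---
! certificate-group-map <map> <seq> <tunnel-group> is evaluated
! before the group-alias/group-url selection, so a cert issued by
! the external CA cannot be used against the local-CA profile
webvpn
 enable outside
 certificate-group-map EXTERNAL-CA-MAP 10 EXTERNAL-CERT-GROUP
 certificate-group-map LOCAL-CA-MAP 20 LOCAL-CERT-GROUP
!
! --- Verification ---
! show crypto ca certificates        -> both CA certs present
! show running-config crypto ca certificate map
! show vpn-sessiondb anyconnect      -> confirm "Group" per session
```

Two caveats worth checking on the box: the ASA's own identity certificate that AnyConnect clients see is selected per interface with `ssl trust-point`, not per tunnel-group, so both profiles will present the same server certificate; and a client certificate that matches neither map falls through to the default group selection, so add a catch-all map or tighten the matching attributes if that is not intended.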